Mirai DDoS Malware Source Code is Out

The dangers of haphazardly connecting embedded devices to the Internet have manifested themselves in mammoth distributed denial-of-service attacks, in particular an attack two weeks ago against security journalist Brian Krebs’ website that peaked at better than 620 Gbps.

The situation worsened over the weekend when source code for the malware that triggered the attack against Krebs On Security was made public on the Hackforums website.

Krebs reported that the Mirai malware continuously scans the Internet looking for so-called Internet of Things devices such as routers, IP-powered cameras, DVRs and more. The malware exploits those devices that rely on default, weak, or hard-coded credentials, and forces them to join giant botnets used in DDoS attacks.

A message posted by the hacker who goes by the handle Anna-senpai said the increased attention on IoT-powered botnets in the days since the Krebs DDoS attack was the impetus for releasing the source code. Anna-senpai said Mirai has allowed him to harness 380,000 bots via weak telnet connections.

Mirai is now the second such malware family herding these IoT cats into botnets. At the end of August, Level 3 Communications disclosed research on the Bashlite malware, which the company said is responsible for compromising more than one million web-connected cameras and DVRs. Bashlite accelerated its activity quickly in July, communicating at first with a handful of bots and before long with hundreds of thousands. Level 3 said 95 percent of bots were cameras and DVRs, four percent home routers and the remaining devices Linux machines. Hundreds of command and control servers were used to communicate with these compromised endpoints.

IoT botnets could be the new normal very soon, experts said. Most IoT devices are difficult to manage, near impossible to update, and sitting ducks for attackers. Arbor Networks said it monitored 540 Gbps DDoS attacks targeting websites and organizations associated with the Rio Summer Olympic Games. The attacks fluctuated for months before the games, and ramped up during the 16 days of competition.

“It’s not a new phenomenon. What is new is that awareness has grown in the attacker community that there are lots of devices out there shipped with bad configurations like default credentials that are easy to exploit,” said Roland Dobbins, a principal engineer at Arbor Networks. “Actually, it’s pound-for-pound more efficient sending packets in terms of bandwidth than similarly sized general-purpose computers because they don’t have a heavy UI; typically, they’re running relatively lightly.”

Not only are they lightweight, but they’re usually always on and network managers are less likely to spot excessive activity emanating from these devices, Dobbins said. “Typically, they are unmanaged and deployed on networks where ops is not paying attention to ingress and egress traffic,” he said. “All of this comes together with the fact that there are zillions of these things. Attackers realize they can harness them into a botnet and launch high-volume attacks.”
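The scanning behaviour the article attributes to Mirai, and the egress blind spot Dobbins describes, are the kind of thing a border-router flow export can surface. As an added example (not from the article or the Mirai code), this Python snippet flags internal hosts that fan out telnet connections to many distinct destinations within a short window; the flow records, IP addresses, thresholds and the 2323 alternate port are constructed assumptions for illustration.

```python
"""Egress-side detection of IoT hosts sweeping the Internet over telnet."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: port 23 is what the article names; 2323 is a commonly seen alternate.
TELNET_PORTS = {23, 2323}


def constructed_flows():
    """Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out)."""
    base = datetime(2016, 10, 3, 12, 0, 0)
    flows = []
    # An IP camera opening telnet to 12 distinct external hosts inside one minute.
    for i in range(12):
        flows.append((base + timedelta(seconds=5 * i), "192.0.2.10",
                      f"198.51.100.{i + 1}", 23, 60))
    # An admin workstation: repeated telnet sessions to ONE lab switch, plus HTTPS.
    # Many connections, but a single destination, so it must not be flagged.
    for i in range(10):
        flows.append((base + timedelta(seconds=30 * i), "192.0.2.50",
                      "203.0.113.7", 23, 900))
    flows.append((base, "192.0.2.50", "203.0.113.80", 443, 40000))
    return flows


def find_telnet_scanners(flows, window=timedelta(minutes=5), min_targets=8):
    """Return {src_ip: distinct_telnet_targets} for hosts whose telnet fan-out
    within any sliding window reaches min_targets distinct destinations."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        if port in TELNET_PORTS:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, recs in by_src.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            # Distinct destinations reached within `window` of this flow.
            targets = {dst for ts, dst in recs[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                suspects[src] = max(suspects.get(src, 0), len(targets))
    return suspects


if __name__ == "__main__":
    for src, n in find_telnet_scanners(constructed_flows()).items():
        print(f"telnet fan-out from {src}: {n} distinct destinations")
```

On real flow exports the thresholds should be tuned against a baseline, since a jump host legitimately reaching many switches looks similar; the per-destination distinctness is what separates a sweep from a busy but legitimate session.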